Red Hot Cyber
A 0-day exploit on FortiWeb WAF is actively exploited! And remove the Admin interfaces from the Internet

Redazione RHC : 14 November 2025 07:30

Attackers are actively exploiting a critical flaw in Fortinet's FortiWeb web application firewall (WAF). The flaw is being used as a zero-day: devices were being compromised before the vulnerability was publicly known or a fix was available.

FortiWeb is a critical defense mechanism designed to identify and block malicious traffic directed at web applications, which makes it a prime target for attackers seeking to undermine an organization's security measures.

The bug isolated from the Defused honeypot

Path traversal appears to underlie the vulnerability, allowing remote exploitation without prior access; a successful attack could lead to complete device compromise and subsequent lateral movement within the network.

On October 6, 2025, Defused shared a proof-of-concept (PoC) exploit that exposed the security flaw. The flaw allows unauthorized attackers to gain administrative privileges on both the FortiWeb Manager panel and the WebSocket interface. It was discovered after Defused's honeypot system detected genuine attacks targeting exposed FortiWeb instances.

Rapid7’s analysis

Security firm Rapid7 subsequently confirmed the exploit's effectiveness through testing, noting that it can create unauthorized administrator accounts, such as one named "hax0r", on vulnerable versions. The tests revealed clear differences between the responses of affected and patched versions.

Against FortiWeb 8.0.1, released in August 2025, the exploit returned an HTTP 200 OK response containing the JSON details of the newly created administrator user, including the encrypted password and the associated login profile. Version 8.0.2, released in late October, instead answered the same exploit attempt with an HTTP 403 Forbidden error, suggesting that a mitigation is in place in that release.

Rapid7 pointed out that while the public PoC does not work against version 8.0.2, it is unclear whether this update contains a deliberate silent fix or an incidental change.

Exploitation in the wild has been reported since October 2025, with Defused describing targeted attacks on exposed devices. Scanning for the flaw and use of the exploit have increased globally, affecting IP addresses in regions such as the United States, Europe, and Asia.

A 0day is on sale in the underground

A well-known hacker forum posted a 0day exploit for sale on November 6, 2025; without access to the exploit, however, it remains unclear whether it is actually related to this security flaw.

Exploits for sale in the Exploit In underground forum

Organizations running FortiWeb versions prior to 8.0.2 are at immediate risk and should prioritize emergency updates or isolate management interfaces from public exposure.

Security managers are also advised to analyze logs for suspicious administrator account creation and to monitor Fortinet's channels for an imminent disclosure.
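The log review recommended above can be automated. The following script is an added example, not code from the article, from Defused or from Rapid7: it parses event lines in a generic key=value syslog-like layout (the field names, the management network 10.20.0.0/24, the approved-admin list and the sample lines are all constructed for this example and are not FortiWeb's real log schema) and flags administrator-creation events whose account is not on the approved list or whose source address is outside the management network.

```python
import ipaddress
import re

# Constructed sample lines in a generic key=value event format. The field names
# (subtype, action, srcip, msg) are assumptions of this example, not FortiWeb's
# actual log schema; adapt the parser to the real fields before use.
SAMPLE_LOGS = """\
date=2025-10-07 time=02:14:31 type=event subtype=admin action=add user="admin" srcip=10.20.0.5 msg="added administrator jdoe"
date=2025-10-07 time=03:41:02 type=event subtype=admin action=add user="admin" srcip=203.0.113.77 msg="added administrator hax0r"
date=2025-10-07 time=03:41:05 type=event subtype=admin action=login user="hax0r" srcip=203.0.113.77 msg="login successful"
date=2025-10-07 time=09:10:44 type=event subtype=admin action=add user="admin" srcip=10.20.0.9 msg="added administrator backup-op"
"""

# Constructed policy: where admin sessions are allowed to come from, and which
# administrator accounts are expected to exist.
MGMT_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]
APPROVED_ADMINS = {"jdoe", "backup-op"}

# key=value pairs; values may be bare tokens or double-quoted strings.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
ADDED_RE = re.compile(r"added administrator (\S+)")


def parse_line(line):
    """Split one event line into a dict of fields, stripping quotes."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def from_mgmt_network(ip):
    """True only if ip parses and lies inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETWORKS)


def find_suspicious_admin_creations(log_text, approved=APPROVED_ADMINS):
    """Return one alert per administrator-creation event that breaks policy."""
    alerts = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("subtype") != "admin" or f.get("action") != "add":
            continue
        m = ADDED_RE.search(f.get("msg", ""))
        if not m:
            continue
        new_admin = m.group(1)
        reasons = []
        if new_admin not in approved:
            reasons.append("account not in approved list")
        if not from_mgmt_network(f.get("srcip", "")):
            reasons.append("created from outside management network")
        if reasons:
            alerts.append({
                "user": new_admin,
                "srcip": f.get("srcip"),
                "when": f"{f.get('date')} {f.get('time')}",
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_admin_creations(SAMPLE_LOGS):
        print(f"[ALERT] {alert['when']} admin '{alert['user']}' added from "
              f"{alert['srcip']}: {', '.join(alert['reasons'])}")
```

Run against the sample, only the "hax0r" creation is reported, for two reasons at once (unknown account, non-management source); an account that is merely unexpected, or merely created from an unusual address, is still flagged, which is the behaviour you want for a silent-fix situation where the exploit itself may never appear in the logs.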

What can be done?

Zero-day vulnerabilities affecting devices and applications exposed to the internet, such as FortiWeb, once again highlight a fundamental security principle: administration interfaces should never be publicly accessible. These dashboards should be isolated on segregated networks, protected by VPNs, and accessible only from internal segments or controlled jump hosts. Any time a management service remains reachable from the internet, it becomes an immediate target for automated scans, exploits, brute-force attacks, and ongoing compromise attempts.

Many attacks, including those exploiting 0days, would be dramatically reduced if administrators limited the exposure of these services. This applies not only to FortiWeb but to every administrative tool, from firewall and router dashboards to virtualization systems, storage, backup consoles, email appliances, industrial IoT interfaces, and much more. The lack of proper segmentation and of strict control over who can reach these dashboards continues to be a major enabler of rapid, large-scale compromises. A smaller attack surface means lower risk: the first line of defense is to reduce what the internet can see.
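The two recommendations in this article, patch anything older than 8.0.2 and take management interfaces off the internet, can be turned into a simple inventory audit. The script below is an added example and is not code from the article or from Fortinet: the inventory, the organization's internal ranges and the severity scheme are constructed for this example, and the only value taken from the article is the 8.0.2 fixed-version threshold. It ranks each admin interface by whether it is reachable from the internet (a listener on a non-internal address with no allow-list, or an allow-list that is not confined to internal ranges) and whether its version is below the fixed release.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Internal address space of a hypothetical organization (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# First release the article treats as not at risk for FortiWeb. The table
# itself is an assumption of this example; extend it with your own products.
FIXED_VERSION = {"FortiWeb": "8.0.2"}


class AdminInterface(NamedTuple):
    name: str
    product: str
    version: str
    listen_ip: str
    port: int
    allowed_sources: Tuple[str, ...]  # CIDRs the upstream firewall admits; () = unrestricted


def parse_version(v: str) -> Tuple[int, ...]:
    """Compare versions numerically: (8, 0, 10) > (8, 0, 2), unlike string compare."""
    return tuple(int(p) for p in v.split("."))


def is_patched(product: str, version: str) -> Optional[bool]:
    """True/False against the known fixed version; None if the product is unknown."""
    fixed = FIXED_VERSION.get(product)
    if fixed is None:
        return None
    return parse_version(version) >= parse_version(fixed)


def is_internal_net(cidr: str) -> bool:
    """True if the whole CIDR lies inside one of the internal ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(i) for i in INTERNAL_NETS if net.version == i.version)


def internet_reachable(iface: AdminInterface) -> bool:
    """Reachable from the internet unless bound internally or allow-listed to internal sources only."""
    listener = ipaddress.ip_address(iface.listen_ip)
    if any(listener in n for n in INTERNAL_NETS):
        return False
    if not iface.allowed_sources:
        return True
    return not all(is_internal_net(s) for s in iface.allowed_sources)


def audit(interfaces: List[AdminInterface]) -> List[Tuple[str, str, str]]:
    """Return (name, severity, recommended action) for each interface."""
    findings = []
    for iface in interfaces:
        exposed = internet_reachable(iface)
        patched = is_patched(iface.product, iface.version)
        if exposed and patched is False:
            sev, action = "critical", "patch now and remove the interface from the internet"
        elif exposed:
            sev, action = "high", "restrict to VPN / management network"
        elif patched is False:
            sev, action = "medium", "schedule the update"
        else:
            sev, action = "ok", "no action"
        findings.append((iface.name, sev, action))
    return findings


# Constructed inventory; 203.0.113.0/24 is a documentation range standing in for public addresses.
SAMPLE_INVENTORY = [
    AdminInterface("waf-edge-01", "FortiWeb", "8.0.1", "203.0.113.10", 443, ()),
    AdminInterface("waf-edge-02", "FortiWeb", "8.0.2", "203.0.113.11", 443, ("0.0.0.0/0",)),
    AdminInterface("waf-dc-01", "FortiWeb", "8.0.1", "10.20.0.5", 443, ("10.20.0.0/24",)),
    AdminInterface("waf-dc-02", "FortiWeb", "8.0.2", "192.168.5.2", 443, ("10.20.0.0/24",)),
]

if __name__ == "__main__":
    for name, sev, action in audit(SAMPLE_INVENTORY):
        print(f"{sev:8} {name:12} {action}")
```

Two design points: versions are compared as integer tuples so that a later 8.0.10 is not misjudged as older than 8.0.2, and "exposed" is decided from your own internal ranges rather than from a public/private heuristic, because a public-IP listener fronted by a firewall that only admits the management VLAN is exactly the VPN/jump-host setup the article recommends.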

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
